[Freeipa-users] Trouble creating replica

John Dennis jdennis at redhat.com
Wed Feb 20 14:47:17 UTC 2013


On 02/20/2013 08:43 AM, Bret Wortman wrote:
> [root at oldmaster]# pkicontrol start ca PKI-IPA
> PKI-IPA is an invalid 'pki-ca' instance
> [root at oldmaster]#
>
> Is there another, preferred way to start it?

pkiconsole is used to monitor/configure your instance; it's a GUI 
application. Perhaps it can also be used to start/stop instances, but 
I've never seen it used that way and we don't use pkiconsole at all.

Normally the pki-ca instance is controlled using the same service 
commands as for any other daemon. Some of this has been in flux, so the 
details may depend on your exact OS. If you don't provide a specific 
instance to start/stop then the service command will apply the action to 
all your instances; usually this is fine, as usually you only have one 
instance.

As for debugging what is going on: pki-ca is a tomcat instance. You need 
to locate its log files under /var/log; depending on the release it can 
be named slightly differently, but it should be obvious. You need to 
understand how a tomcat instance starts; again, this depends on the 
release. Early startup messages will be written to catalina.out; those 
are tomcat-specific messages. If you have problems opening sockets (for 
instance bad certs), it should show up in this file. Once tomcat hands 
control over to the application (i.e. pki-ca) you will see messages in 
the "debug" file located under the /var/log/pki-ca (or whatever, depends 
on the release) directory. As I said, it should be easy to find. Look in 
that file for obvious problems.

HTH,

I forget the exact version you're running on which OS. If the above is 
not specific enough we can get the dogtag folks to jump in.

-- 
John Dennis <jdennis at redhat.com>
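
Added example, not part of the original message and not FreeIPA or Dogtag code: a shell script for the log triage described above, which finds catalina.out and the "debug" file under any pki* directory and reports which startup phase shows errors. The function names, the *pki* path match, the error patterns and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA/Dogtag code). Function names, the *pki* path
# match and the error patterns are assumptions; adjust them per release.

PATTERN='SEVERE|exception|failed'

# pki_triage LOGROOT: print "<phase> <error-lines> <path>" for each log found.
pki_triage() {
    find "${1:-/var/log}" -maxdepth 4 -type f -path '*pki*' \
         \( -name catalina.out -o -name debug \) 2>/dev/null | sort |
    while IFS= read -r f; do
        case ${f##*/} in
            catalina.out) phase=tomcat ;;  # early Tomcat startup: sockets, certs
            *)            phase=app ;;     # after Tomcat hands over to pki-ca
        esac
        n=$(grep -ciE "$PATTERN" "$f" || true)  # grep -c exits 1 on zero hits
        printf '%s %s %s\n' "$phase" "$n" "$f"
    done
}

# pki_first_error FILE: first matching line, prefixed with its line number.
pki_first_error() {
    grep -niE "$PATTERN" "$1" | head -n 1
}

# make_sample: build constructed (not real) logs so the example runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/pki-ca"
    cat > "$d/pki-ca/catalina.out" <<'EOF'
INFO: starting connector (constructed)
SEVERE: Error initializing endpoint (constructed)
java.io.IOException: SSL configuration is invalid (constructed)
EOF
    cat > "$d/pki-ca/debug" <<'EOF'
[constructed][main]: initializing subsystems
[constructed][main]: startup finished
EOF
    echo "$d"
}

# Demo: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    pki_triage "$(make_sample)"
fi
```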
